That appears to be a sharp rise in the count of breached hotels that IHG reported in a February alert, when it reported that POS devices in restaurants and bars at 12 of its locations had been infected with malware (see Intercontinental Hotels Confirms Breach).

But IHG says that those dozen locations referred only to hotels that it directly runs, and that it didn't yet know the scope of the breach at its franchisees' locations.

Not all hotels bearing the IHG brand name are run directly by the company. "Many IHG-branded locations are independently owned and operated franchises, and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations," IHG says in an updated, April 14 data breach notification.

"We regret any inconvenience this may have caused," it adds.

IHG first confirmed on Dec. 28, 2016, that it was investigating a suspected payment card breach at some U.S. properties, after security blogger Brian Krebs reported that some IHG properties - particularly Holiday Inn and Holiday Inn Express locations - appeared to be experiencing unusual levels of fraud.

On Feb. 3, IHG warned customers that 12 of its hotels may have been affected.

In its most recent update, however, IHG says that it has been coordinating a related breach response and investigation "on behalf of franchisees," and that the malware appears to have infected hotel servers and was fully eradicated across all affected locations by the end of March. The company says it's also working with law enforcement agencies to help investigate the breach.

Malware Intercepted Payment Card Data

The malware intercepted payment card data, but nothing else appears to have been compromised, IHG says.

"The malware searched for track data - which sometimes has cardholder name in addition to card number, expiration date, and internal verification code - read from the magnetic stripe of a payment card as it was being routed through the affected hotel server," it says. "There is no indication that other guest information was affected."

IHG has declined to say which security firm it hired to investigate the breach, what type of malware infected its POS devices, whether or not it manages the payment infrastructure that its franchisees use, or how many payment cards may have been compromised.

IHG recommends that all of its customers review their payment card statements for signs of fraud and contact their card issuer directly if they see any suspicious activity. IHG has not offered free identity theft protection services to affected consumers.

For potential victims, however, it's worth noting that users of credit cards are generally not liable for fraudulent charges if they report them in a timely manner. Legally speaking, debit card users have no such guarantees - that's why many identity theft experts recommend never paying with a debit card - although many banks will cover such losses.

Affected Hotels Span 49 States

In its statement, IHG says that the malware infected systems at front desks, and that related infections persisted from Sept. 29, 2016, until Dec. 29, 2016. "Although there is no evidence of unauthorized access to payment card data after Dec. 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017," it says.

Point-to-Point Encryption Saved Some Hotels

Some IHG-branded properties were not affected, however, because they had chosen to implement stronger cybersecurity controls. "Before this incident began, many IHG-branded franchise hotel locations had implemented IHG's Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution," according to IHG's statement. It notes that any property that implemented SPS prior to Sept. 29, 2016, was not affected by the breach.

"Many more properties implemented SPS after Sept. 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected," it adds.
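The two technical points in IHG's statement, that the malware looked for magnetic-stripe track data on the hotel server and that point-to-point encryption removed that data from the server's reach, can be illustrated with a defender's scan. The following example is added here and is not IHG's code, the investigators' code, or a description of the actual malware: it implements the kind of track-data search an incident responder or DLP tool runs over a memory image or log, using the public ISO/IEC 7813 track layouts and a Luhn check to discard look-alike digit runs, and runs it over two constructed buffers. The first buffer stands in for a server that receives cleartext swipe data; the second, labelled P2PE, stands in for a server that only ever sees the opaque envelope a P2PE terminal emits. The card number is a standard test PAN, the name, expiry and "ciphertext" hex are made up, and the HTTP framing is illustrative.

```python
"""Find magnetic-stripe track data in a buffer, as a post-incident memory or
log review would, and show why a P2PE-protected server yields no matches."""
import re
from dataclasses import dataclass
from typing import List, Optional

# ISO/IEC 7813 Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# ISO/IEC 7813 Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a finding report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int            # 1 or 2
    offset: int           # byte offset in the scanned buffer
    masked_pan: str
    expiry: str           # YYMM as encoded on the stripe
    name: Optional[str]   # Track 1 only


def find_track_data(buf: bytes) -> List[TrackHit]:
    """Return every Luhn-valid Track 1 / Track 2 record found in buf."""
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, m.start(), mask_pan(pan),
                                 m.group(3).decode(), m.group(2).decode().strip()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, m.start(), mask_pan(pan),
                                 m.group(2).decode(), None))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: a server that receives cleartext swipe data from the
# terminal. 4111111111111111 is a standard test PAN; name and expiry are made up.
CLEARTEXT_SERVER_BUFFER = (
    b"GET /pos/auth HTTP/1.1\r\nHost: pos.local\r\n\r\n"
    b"%B4111111111111111^DOE/JOHN^2212101000000000?"  # Track 1 (test PAN)
    b";4111111111111111=2212101000000000?"            # Track 2 (same card)
    b";1234567890123456=2212101?"                     # looks like Track 2, fails Luhn
    b"\x00\x00session=ab12cd"
)

# Constructed stand-in for the same transaction under P2PE: the terminal
# encrypts the stripe data before it leaves the reader, so the server only
# handles an opaque envelope. The hex below is made up, not real ciphertext.
P2PE_SERVER_BUFFER = (
    b"GET /pos/auth HTTP/1.1\r\nHost: pos.local\r\n\r\n"
    b"P2PE:ksn=FFFF9876543210E00001:data="
    b"9c4b3e2a1f0d8e7b6a5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e"
    b"\x00\x00session=ab12cd"
)


def summarize(buf: bytes) -> str:
    hits = find_track_data(buf)
    if not hits:
        return "no track data found"
    return "; ".join(f"track{h.track}@{h.offset} pan={h.masked_pan} exp={h.expiry}"
                     for h in hits)


if __name__ == "__main__":
    print("cleartext server:", summarize(CLEARTEXT_SERVER_BUFFER))
    print("P2PE server:     ", summarize(P2PE_SERVER_BUFFER))
```

The cleartext buffer produces two findings (the Track 1 and Track 2 records for the test card) and rejects the Luhn-invalid decoy; the P2PE buffer produces none, because the server never handles the stripe data in a form this scan, or the malware IHG describes, could recognise. The same search is a useful control on its own: run over POS server memory or application logs, any hit means cleartext track data is present where it should not be.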

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as Executive Editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
